Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
24-07-2024 11:24
Behavioral task
behavioral1
Sample
Open AI Sora Vesion 5.42.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Open AI Sora Vesion 5.42.exe
Resource
win10v2004-20240709-en
General
-
Target
Open AI Sora Vesion 5.42.exe
-
Size
157.9MB
-
MD5
167af794837fe9de07ee83acdb74343e
-
SHA1
a3f718d502a0f9e8382d12da9704433b96ea53ed
-
SHA256
06c81d76f89cd374efcf4140b1f8239f30a89b1132608c3696e64199c9d9bd0c
-
SHA512
8e78779a4d43604e705335c45569137ddc0b8b5448d15c44c1bb0fae59c95457dfa896bb3671aec79a0082f104ffa61182453218f759669320b9cba909c0d588
-
SSDEEP
1572864:FHMlnmXXHfarJ2MH6rd07/eGpQvyLxCi70QzyhpPc2qfF4SagVnhqODQA86:NInmXXHfatH6dg/eiZzwJgFo
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 1 IoCs
Processes:
Chrome Service.exepid process 1308 Chrome Service.exe -
Loads dropped DLL 1 IoCs
Processes:
Open AI Sora Vesion 5.42.exepid process 2384 Open AI Sora Vesion 5.42.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Open AI Sora Vesion 5.42.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" Open AI Sora Vesion 5.42.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ipinfo.io 5 ipinfo.io -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Open AI Sora Vesion 5.42.exepowershell.exepowershell.exeChrome Service.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Open AI Sora Vesion 5.42.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome Service.exe -
Processes:
Open AI Sora Vesion 5.42.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Open AI Sora Vesion 5.42.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 Open AI Sora Vesion 5.42.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exepowershell.exepid process 1288 powershell.exe 1288 powershell.exe 2220 powershell.exe 2220 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1288 powershell.exe Token: SeDebugPrivilege 2220 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Open AI Sora Vesion 5.42.exedescription pid process target process PID 2384 wrote to memory of 1288 2384 Open AI Sora Vesion 5.42.exe powershell.exe PID 2384 wrote to memory of 1288 2384 Open AI Sora Vesion 5.42.exe powershell.exe PID 2384 wrote to memory of 1288 2384 Open AI Sora Vesion 5.42.exe powershell.exe PID 2384 wrote to memory of 1288 2384 Open AI Sora Vesion 5.42.exe powershell.exe PID 2384 wrote to memory of 2220 2384 Open AI Sora Vesion 5.42.exe powershell.exe PID 2384 wrote to memory of 2220 2384 Open AI Sora Vesion 5.42.exe powershell.exe PID 2384 wrote to memory of 2220 2384 Open AI Sora Vesion 5.42.exe powershell.exe PID 2384 wrote to memory of 2220 2384 Open AI Sora Vesion 5.42.exe powershell.exe PID 2384 wrote to memory of 1308 2384 Open AI Sora Vesion 5.42.exe Chrome Service.exe PID 2384 wrote to memory of 1308 2384 Open AI Sora Vesion 5.42.exe Chrome Service.exe PID 2384 wrote to memory of 1308 2384 Open AI Sora Vesion 5.42.exe Chrome Service.exe PID 2384 wrote to memory of 1308 2384 Open AI Sora Vesion 5.42.exe Chrome Service.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Stop-Process -Name "firefox"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220 -
C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1308
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5f188e3bc1f56233ad66940e065992430
SHA1101c070894ff5b44cbf1edeacde3493fae3db702
SHA256a06622be12871746dd7b3fa4118c97321e3c3efaabd9533c7085b2dbba6a44bd
SHA5126da9917fea7503a6b777452b459fcdcfae60a80ef047858ddadebb9079bc9134424ad2bd55073c8be5dd1cd86aa3ef5572528e8ca0d67301c95eb15f0062325b